In December 2013, the chief financial officer (CFO) at Fortelus Capital Management, a London-based hedge fund, received a phone call from an individual purporting to be from Coutts, the firm’s bank. This individual told the CFO that there had been suspicious transactions on the company’s bank account.
The CFO proceeded to provide this individual with the relevant information to cancel these erroneous transactions. The following week, the CFO discovered that $1.2 million was missing from the hedge fund’s bank account. Coutts said they had no record of any telephone conversation taking place. The CFO was subsequently fired and is presently being sued by his former employer.
This is just one example of the many cyber-threats which financial institutions are facing, and it is a danger that is finally being recognised. A survey of clients by the Depository Trust & Clearing Corporation (DTCC) in May 2015 found 46% identified cyber-crime as the biggest risk to capital markets, nearly double from 2014.
This fear is justifiable. A study in 2013 by the then Committee on Payment and Settlement Systems (CPSS) and the International Organization of Securities Commissions (IOSCO), in conjunction with the World Federation of Exchanges found more than half of the 46 exchanges in the survey had suffered a cyber-attack over the previous year. Analysis by the US Securities and Exchange Commission (SEC) found 88% of broker-dealers and 74% of investment advisers had encountered cyber-threats directly or through a third party.
The types of attack are varied and may include Distributed Denial of Service (DDoS) attacks, installation of malware or leakage of confidential data. Analysis by British Telecom (BT) found roughly 41% of global businesses had been subject to a DDoS. These attacks are perpetrated by a number of different entities including hostile nation states, sophisticated criminal gangs or even disgruntled employees.
It is something hedge funds need to take seriously. Some firms have been evidently complacent. These managers argue that they keep their heads below the parapet and are sufficiently small to escape the radar of cyber-attackers. This attitude is dangerous. If anything, smaller hedge funds are probably more vulnerable than most other financial institutions as they do not possess the technology budgets of banks and market infrastructures to ward off serious cyber‑attacks.
Grave consequences
The implications of falling victim to a cyber-threat are serious. The costs of cyber-crime are significant. The UK government confirmed a single business had incurred losses of £800 million due to a cyber-incident, although the overall costs worldwide run into the hundreds of billions of dollars.
Many hedge funds, particularly quantitative or computer-driven strategies, utilise proprietary algorithms. Should these algorithms be leaked, it would wreck their businesses, particularly if they were passed onto third parties. Hackers could even breach portfolio management systems and enter erroneous trades in what would also have a devastating impact.
The reputational risk of falling victim to a cyber-attack is serious. KPMG surveyed institutional investors running more than $3trn and found that 79% would not put money in a business which had been hacked.
“The boards of hedge funds have a fiduciary duty to the funds they serve and the investors in those funds. Apart from the reputational risk, getting hacked raises some serious legal issues. There may be statutory liabilities for breach of confidentiality. Hedge funds, like any other financial institution rely heavily on information technology which makes them vulnerable to data risk. Ensuring the integrity and security of data is vital to protecting sensitive investor information and also the proprietary information and intellectual property of the hedge fund,” said Sean Scott, partner at Harney, Westwood & Riegels, an offshore law firm.
Regulators are scrutinising managers’ cyber-policies. The SEC has been particularly active, having announced in 2014 that its Office of Compliance Inspections and Examinations (OCIE) would be reviewing the cyber-policies of asset managers and broker dealers in its regulatory examinations.
Both the Central Bank of Ireland (CBI) and UK Financial Conduct Authority (FCA) are putting cyber-security on their agenda as well. “Regulators worldwide are or will be reviewing the cyber-policies and procedures amid concerns over deficiencies. Cyber-security is a hot topic for regulators and investors alike. It is definitely something hedge funds managers should be aware of,” commented Scott.
Next steps
The SEC has published guidance for asset managers around cyber-security. Most of the recommendations focus on getting the basics right, which should mitigate the risk of the majority of cyber-attacks. The SEC guidance recommends managers undertake assessments of how sensitive data is being stored, implement security controls, ensure governance procedures are in place to deal with threats and have a plan to deal with any attack.
Firms have been urged to ensure they have firewalls in place and restrictions around access to sensitive data, and if necessary encryption. Managers are advised on restricting employees’ use of USB sticks, or at least have surveillance over what has been downloaded onto removable storage devices. Most importantly, firms need a response plan in place to deal with a live cyber-attack.
All of these procedures and policies should be written down and routinely tested. This is something that institutional investors are reviewing.
Many small to mid-sized managers outsource much of their technology to third party vendors. Again, the SEC has told these managers to make sure those providers adhere to the highest standards of data security, and recommends manager conduct thorough initial and on-going operational due diligence on those providers’ cyber-security policies. It is also crucial managers undertake due diligence on contractors, such as maintenance staff, who will have privileged access to the business.
“Outsourced service providers regularly handle large amounts of sensitive data on behalf of hedge funds, so managers need to ensure they regularly assess and monitor those providers. Boards and managers should be taking appropriate measures to safeguard their businesses against cyber-crime,” said Scott.
Hedge funds need to collaborate in order to address the challenges faced by cyber-criminals. The DTCC has recommended regulators and financial institutions engage each other on how to mitigate the risks posed by cyber-criminals. “There needs to be better communication about the ways in which cyber-crime can be addressed. The hedge fund industry should certainly be part of this debate. It is certainly something industry associations and service providers are increasingly alerting their members to,” said Scott.
Cyber-crime a clear and present danger for hedge funds
Cyber-crime is becoming a pressing issue for hedge funds, so how do they safeguard against the growing virtual threat?
« BNP Paribas to provide clearing and settlement for mid-cap house